Microsoft Report on IE Security Draws Mozilla Rebuttal

Microsoft is patting itself on the back for having had fewer vulnerabilities in IE than have been found in Firefox.

Microsoft has issued a report on Internet Explorer in which it pats itself on the back for having fewer vulnerabilities in its browser than are in the No. 1 competitor, Mozillas Firefox—a stance that the Mozilla Foundation finds, to put it diplomatically, puzzling.

"Just because dentists fix more teeth in America doesnt mean our teeth are worse than in Africa," Mike Shaver, chief evangelist for Mozilla, said in an interview with eWEEK. Indeed, Shaver said, the biggest thing that Microsoft got wrong is that the study equates bugs being fixed in a browser with that browser being less secure.

"Its something youd expect from maybe an undergrad," he said. "Its very disappointing to see somebody in a senior security position come out and say that because an organization is more transparent about their bugs and fixing them, theyre somehow less secure."

Microsofts Jeff Jones, a security strategy director in Microsofts Trustworthy Computing group, issued the report, titled "Internet Explorer and Firefox Vulnerability Analysis," on Nov. 30.

The report examines the volume and severity of vulnerabilities in the two browsers since Firefox was launched in November 2004. Its findings: Microsoft has fixed 87 total vulnerabilities (across all supported versions of Internet Explorer) while Mozilla has fixed 199 vulnerabilities in supported Firefox products. Also, Jones said, IE experienced a lower volume of reported vulnerabilities across all categories of severity (high, medium, low).

The analysis is lazy at best, Shaver said, and, taken in the worst light, is "malicious."


Click here to read about DNS and URI handling flaws in Windows XP and Windows Server 2003.

One problem Mozilla has with the study is that it doesnt take into account undocumented patches or those included in service packs. Also, Shaver questioned whether the study counted each individual fix contained in each of Microsofts security advisories. Microsofts individual security advisories have been known to contain up to seven fixes.

"If Mozilla wanted to do better than Microsoft on this report, we would have an easy path: stop fixing and disclosing bugs that we find in-house. It is well known that Microsoft redacts release notes for service packs and bundles fixes, sometimes meaning that you get a single vulnerability counted for, say, seven defects repaired. Or maybe you dont hear about it at all, because it was rolled into SP2 and they didnt make any noise about it," Shaver wrote in a Nov. 30 blog post.

Mozilla is particularly sensitive on the issue given that its worked hard to shrink the time between patch availability and user adoption, decreasing that time by 25 percent in the past year.


Read details here about bug fixes to a recent Firefox upgrade.

"The vast majority [of the Firefox user base] is updated to the most secure version of Firefox in less than a week," Shaver told eWEEK. "Those are the things we measure and talk about publicly. Reports like [Jones] really point the industry in a dangerous direction, which is to say youre [given an incentive] to keep [browser security fixes] quiet. That doesnt keep you safer, it just helps companies hide the real nature of what theyre doing."

This is the second study that Jones has put out in the past few months that claims that Microsoft technology is more secure than its open-source counterparts. In June, he published a study that concluded that Windows Vista had blown away all the major enterprise Linux distributions and Mac OS X as far as having the smallest number of serious security vulnerabilities in the first six months following its release.

That earlier study received an equivalent number of raspberries compared with todays browser security study.

Microsoft hadnt responded to queries by the time this article was posted.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.